Security Issue with Passwords

[Dan-Peck]

Using the Developer Portal Registrations process with the intention to create an OAuth Application so we can integrate with Sycamore School API, there are multiple issues that have left my account in an insecure state:

1- Initial password is sent in clear-text, and also includes the username with it.

2- Worse, however, is that the change-password form does not work -- once I found the submit button, clicking it causes the upper title bar to read: "`oops!... There seems to be an error with this page.", and the center area to be blank/empty content, or even returns me back to the Developer Portal login form, sometimes. The password never changes, either, since it takes the original one to log back in.

3- Unfortunately the "Help" feature does not work at this stage, either, because after clicking "Help", then "Next", it returns me to the page saying "You are required to change your password"! Which led me to creating this Issue, instead.

I have tried multiple browsers (Chrome 108.0.5359.126 on Win 10, and Edge 109.0.1518.55), both in normal and Incognito mode without Extensions. I have tried different passwords of varying characters and lengths.

Just prior to submitting:

After submitting:

In the Chrome debugger, I can see the URL gets a 500 error when trying to POST to https://app.sycamoreschool.com/developer/password.php, and the content prints out standard type of heading stuff, and then gets just inside the BODY tag (of which there are actually two!), then prints out a CloudFlare beacon script and then ends. For reference, here is a portion of the page HTML (with some data cleaned out in case it is sensitive data):

        <SCRIPT type='text/javascript'>
        $(document).ready(function(){
        var toastrSkip = ['/admissions/header.php','/admissions/login.php','/admissions/home.php','/admissions/menu.php','/admissions/login.inc','/admissions/index.php','/admissions/'];
        if($.inArray(location.pathname,toastrSkip) == -1) {
            if(location.pathname.search('admissions/') != -1) {
                if(window.toast){
                    window.parent.frames['header'].getToast(window.toast);
                    window.toast = null;
                }
            }
        }
    });
    </SCRIPT>
    <SCRIPT type="text/javascript" type="text/javascript" src=password.js></SCRIPT>

</HEAD>
<BODY>

 <BODY style='margin: 0px 10px 0px 10px;' > <script defer src="https://static.cloudflareinsights.com/beacon.min.js/vaafxxxxxxxxxxxxxxxxxxxxxxxxxxx" integrity="sha512-0ahDYl866UMhKuYcW078ScMalXqtFJggm7TmlUtp0UlD4eQk0Ixfnm5ykXKvGJNFjLMoortdseTfsRT8oCfgGA==" data-cf-beacon='{"rayId":"78b1c8e54ef42d26","token":"xxxxxxxxxxxxxxxxxxxxxxx","version":"2022.11.3","si":100}' crossorigin="anonymous"></script>

[Dan-Peck]

There was also a 404 Not Found issue when it first loaded trying to retrieve this file:

https://app.sycamoreschool.com/jquery.js